Security Flaws on the Rise, Questions Remain

Pervasive bugs in Web applications contributed to the first major increase in publicized security vulnerabilities in three years, though different databases offer competing figures on the number of security risks discovered in recent years. A recent examination of four major vulnerability databases consistently indicated a spike in vulnerabilities stemming from easily discovered flaws in Web applications and a doubling of the number of errors found in software, and security analysts believe that such vulnerabilities will not disappear any time soon. The National Institute of Standards and Technology (NIST) has developed the National Vulnerability Database, which uses the Common Vulnerability Scoring System to produce a standardized rating of security flaws. Because each of the four databases surveyed uses different cross-referencing techniques and editorial policies, meaningful comparisons between them are difficult. CERT, one of the databases surveyed, reported 5,198 vulnerabilities in 2005, though that figure has been disputed. Whatever the exact count, CERT's conclusion that 2005 saw a spike in vulnerabilities is widely agreed upon. Most of these vulnerabilities are not catastrophic, however. "Web-based vulnerabilities are all over the place and they are really easy to find; they are the low-hanging fruit," said Symantec's David Ahmed. "We have had high-profile vulnerabilities, but that is not what is driving this increase." Computer scientists are more concerned with flaws embedded in the software developed by major companies. It should also be noted that any analysis of software vulnerabilities covers products developed in earlier years rather than the current one. "These numbers are showing the state of practice from a few years ago, rather than what the current state of practice is today," said CERT's Jeff Havrilla.